[Snort-users] stream5 and http_inspect

Jack kingofnerds at ...11827...
Wed Sep 5 10:42:35 EDT 2012


Here is a list of IDs I put into my thresholds.conf file to filter
out some noisy rules:
suppress gen_id 120, sig_id 3
suppress gen_id 129, sig_id 15
suppress gen_id 129, sig_id 12
suppress gen_id 129, sig_id 4
suppress gen_id 124, sig_id 9
suppress gen_id 1, sig_id 368
suppress gen_id 1, sig_id 366
suppress gen_id 1, sig_id 408
suppress gen_id 1, sig_id 402
suppress gen_id 1, sig_id 384
suppress gen_id 1, sig_id 396


I think one of those does match some of the stream5 stuff.

On Wed, Sep 5, 2012 at 9:58 AM, Joel Esler <jesler at ...1935...> wrote:
> They sure do, in the preprocessors.rules (if you are using that)
>
> Otherwise, you can suppress them.
>
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
>
> On Sep 5, 2012, at 9:49 AM, Pratik Narang <pratik.cse.bits at ...11827...> wrote:
>
>> I am getting an excessive number of stream5: TCP small segment threshold exceeded, and http_inspect: long header alerts. I do not want to disable these Preprocessors (stream5 is anyways needed for certain other preprocessors). So what should I do? I guess preprocessors don't really have a 'rule' which I can just comment so that it won't show up, right?
>>
>> Thanks.
>> ------------------------------------------------------------------------------
>> Live Security Virtual Conference
>> Exclusive live event will cover all the ways today's security and
>> threat landscape has changed and how IT managers can respond. Discussions
>> will include endpoint security, mobile security and the latest in malware
>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>



-- 
_____________________________________
 ---- In the end Nerds will Rule the World ----
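
An added example, not part of the original thread: a small Python audit that reads suppress entries in the syntax posted above and tallies, per gid:sid, which alerts in a fast-format alert log they hide, which stay visible, and which entries never matched. The sample alert lines (including their gid:sid values), the function names and the variable names are constructed for illustration.

```python
import re
from collections import Counter
# Suppress entries copied from the message above (thresholds.conf syntax).
SUPPRESS_CONF = """
suppress gen_id 120, sig_id 3
suppress gen_id 129, sig_id 15
suppress gen_id 129, sig_id 12
suppress gen_id 129, sig_id 4
suppress gen_id 124, sig_id 9
suppress gen_id 1, sig_id 368
suppress gen_id 1, sig_id 366
suppress gen_id 1, sig_id 408
suppress gen_id 1, sig_id 402
suppress gen_id 1, sig_id 384
suppress gen_id 1, sig_id 396
"""
# Constructed lines in Snort "fast" alert layout; text, times, hosts are invented.
SAMPLE_ALERTS = """
09/05-09:41:02.100000  [**] [129:12:1] constructed alert A [**] [Priority: 3] {TCP} 192.0.2.10:51000 -> 198.51.100.5:80
09/05-09:41:02.200000  [**] [129:12:1] constructed alert A [**] [Priority: 3] {TCP} 192.0.2.10:51000 -> 198.51.100.5:80
09/05-09:41:03.000000  [**] [119:19:1] constructed alert B [**] [Priority: 3] {TCP} 192.0.2.11:51001 -> 198.51.100.5:80
09/05-09:41:04.000000  [**] [1:408:5] constructed alert C [**] [Priority: 3] {ICMP} 192.0.2.12 -> 198.51.100.5
"""
SUPPRESS_RE = re.compile(r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)\s*(,.*)?$")
ALERT_RE = re.compile(r"\[\*\*\]\s+\[(\d+):(\d+):\d+\]")

def parse_suppress(text):
    """Map (gid, sid) -> True when a trailing 'track ..., ip ...' clause scopes it."""
    entries = {}
    for line in text.splitlines():
        m = SUPPRESS_RE.match(line.split("#", 1)[0])  # ignore trailing comments
        if m:
            entries[(int(m.group(1)), int(m.group(2)))] = bool(m.group(3))
    return entries

def audit(conf_text, alert_text):
    """Count alerts hidden by unscoped entries, alerts still shown, and unused entries.
    Address-scoped entries are not evaluated, so their alerts are counted as visible."""
    entries = parse_suppress(conf_text)
    hidden, visible = Counter(), Counter()
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            key = (int(m.group(1)), int(m.group(2)))
            bucket = hidden if entries.get(key) is False else visible
            bucket[key] += 1
    unused = sorted(k for k in entries if k not in hidden)
    return hidden, visible, unused

if __name__ == "__main__":
    print(audit(SUPPRESS_CONF, SAMPLE_ALERTS))
```

Entries reported as never matched against a representative log are candidates for removal, since each global suppress also hides any future alert with that gid:sid.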




More information about the Snort-users mailing list